Government gets access to Microsoft source code

Security agencies allowed to tinker with Windows to ensure safety of software systems


The government has agreed to participate in Microsoft's GSP (government security program), which provides it with access to Windows source code in an effort to ensure its systems are safe.

The program gives the security community in the government controlled access to the code and other technical information.

Andrew Pinder, head of the government unit that looks after IT security, signed the agreement. In a Cabinet Office statement Friday, he said the government would benefit from a clearer view of the security design of Microsoft products and the opportunity to influence future products.

Governments that join the GSP will be given smartcards that allow authorised staff to view the code over a secure channel. They will have access to the source code as well as to Microsoft's cryptographic code and a cryptographic development kit.

Government departments will be allowed to alter the code, but only to evaluate any vulnerabilities, said Microsoft's Stuart Okin. They will not be allowed to package or distribute the altered code. Instead, they can take it to Microsoft and "we would take that under advisement," he said.

Government agencies can simulate threats and assess vulnerabilities in addition to inspecting the code line by line. They are also invited to work with Microsoft security professionals in the UK as well as in the company's hometown of Redmond. They will be able to review Windows source code development, testing and deployment processes and give feedback directly to Microsoft.

Asked how the government can be sure it is seeing the true source code, Cabinet Office spokeswoman Kathryn Fisher said the government has "entered the agreement on a basis of trust."

The agreement will allow the government to influence the design of future products, Fisher said, by going back to Microsoft with suggested modifications.

Two units will use the source code: the Central Sponsor for Information Assurance, within the Cabinet Office, which is run by Pinder, and the Communications and Electronics Security Group, the IT security group within the Government Communications Headquarters, Fisher said.

Microsoft views any government that uses its software as a trusted partner, and the GSP allows governments to assess the security and integrity of its products. But Okin qualified that by saying only those governments with a minimum level of intellectual property laws would be accepted. "We think there are 60 or so governments that qualify," he said.